Topic
  • 16 replies
  • Latest Post - 2013-05-09T08:48:27Z by grol
grol
grol
36 Posts

Pinned topic AAA post processing add username token doesn't work

2013-04-24T09:28:19Z

Hi,

I'm developing a custom AAA policy.

I receive a signed request; my AAA policy first verifies the signature and extracts the identity using the signer DN.

I have created an XSL for the map credentials phase. Here is the code:

<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="2.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" >
<xsl:template match="/">
<entry>
<credentials>
sñdsdjfslñ
</credentials>
</entry>
<entry>
<username>
prov
</username>
</entry>
<entry>
<password>
prov
</password>
</entry>
</xsl:template>
</xsl:stylesheet>

In the post processing phase I want to strip the security header of the request and put in a new security header with a UsernameToken carrying the user and password established in the MC phase, but the new header is not added.

I'm lost because the system log doesn't show any errors.

I have attached the log.

Why isn't the Add WS-Security UsernameToken option working?

Thanks in advance.

Regards,

 

 

Attachments

  • grol
    grol
    36 Posts

    Re: AAA post processing add username token doesn't work

    2013-04-29T10:00:29Z
    Nobody has replied yet.... :-(

    I have continued testing and I have changed the XSL template. Basically I put the username and password nodes in the same entry node. With this change I can see in the system log that a password has been found. I have noticed that if you mark the "Run Custom Postprocessing style sheet" option, the Add username token option doesn't work. Is this behavior normal or is it a bug?
    Thanks in advance.
    Regards.
    Updated on 2013-04-29T10:04:10Z at 2013-04-29T10:04:10Z by grol
  • kenhygh
    kenhygh
    2060 Posts

    Re: AAA post processing add username token doesn't work

    2013-04-29T11:34:49Z
    • grol
    • 2013-04-29T10:00:29Z

    Sorry nobody has replied, but since the problem is likely in your stylesheet and you haven't posted that, well, there's not a lot for us to work with.

    When you check 'run custom postprocessing', none of the other options work. This is normal, even if it's not what you or I want :-)  

    I think the developers assumed that if you're calling a custom stylesheet, you'll do everything needed in it.

    Ken

  • grol
    grol
    36 Posts

    Re: AAA post processing add username token doesn't work

    2013-04-29T13:46:56Z
    • kenhygh
    • 2013-04-29T11:34:49Z

    Thanks for the information.

    If the rest of the options don't work, why doesn't DP deactivate them when you choose "custom post processing"?

    Anyway, I want to strip the incoming security header and put in a UsernameToken header. First of all I want to say I don't have any experience with XSLT templates.

    I'm developing an XSLT that I haven't finished yet. I attach it.

    Does someone have the addUserNameToken stylesheet which DataPower is using to add this header?

    This might help me.

    Thanks.

    Regards, Guillermo.

    Attachments

    Updated on 2013-04-29T13:47:30Z at 2013-04-29T13:47:30Z by grol
  • kenhygh
    kenhygh
    2060 Posts

    Re: AAA post processing add username token doesn't work

    2013-04-29T15:40:07Z
    • grol
    • 2013-04-29T13:46:56Z

    Your stylesheet looks like a good start.

    To see the various variables available to your stylesheet, run it with the probe enabled, and look at context variables AFTER your AAA action is called. There's a bunch of AAA related variables for your use.

    Ken

  • swlinn
    swlinn
    1395 Posts

    Re: AAA post processing add username token doesn't work

    2013-04-29T18:11:51Z

    I'm trying to catch all the points of this thread in one post.  Each step in AAA gets a specific nodeset, depending upon the specific step, as its input.  Only the EI step and ER step will see the action's input context as a custom XSL's input.  You provided your Map Credentials stylesheet in the first post, but I believe the schema on that input is

    <credentials><entry type="sometype">credentials</entry> ... one or more entries ... </credentials>

    Your stylesheet specifies the first output node as an entry with the credentials node as a child element, which is invalid.

    Finally, post processing gets a schema that specifies everything about the previous AAA steps.  You will NOT see your AAA action's INPUT context, so the XSL you're trying to provide in the post processing step isn't valid.  You should have your AAA succeed or fail based upon successful AU and AZ steps, and if AAA succeeds, then a transformation action should follow that transforms your input.

    As Ken points out the AAA context variables are very helpful in debugging, and if you do specify a custom stylesheet at any of the AAA steps, click on the AAA action itself in the probe and you'll see the input and output nodeset to each step.

    Hope this helps ...

    Steve

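To make the point above concrete, here is an added example of a Map Credentials stylesheet shaped the way swlinn describes; it is editorial material, not code from this thread or from IBM. It assumes the MC input is the `<credentials><entry type="...">...</entry></credentials>` nodeset swlinn gives, that the first entry holds the signer DN extracted in the EI step, and that the output is a `<credentials>` document with the username and password as children of one `<entry>` (the layout grol later reports the log accepting, and the one his `/container/mapped-credentials/entry/username` XPath relies on). The partner DNs and the account values are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the thread or IBM): custom Map Credentials (MC) stylesheet
     for a DataPower AAA policy.
     Input  (as swlinn describes it):  <credentials><entry type="...">signer DN</entry> ...</credentials>
     Output (assumed; the shape the thread settles on, acknowledged by the log line
            "Found username/password in MapCredentials output"):
            <credentials><entry type="custom"><username/><password/></entry></credentials> -->
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">

  <xsl:output method="xml" omit-xml-declaration="yes"/>

  <!-- The verified signer DN that the Extract Identity step placed in the first entry -->
  <xsl:variable name="signer-dn" select="normalize-space(/credentials/entry[1])"/>

  <xsl:template match="/">
    <credentials>
      <xsl:choose>
        <!-- Allow-list: only a signer we know is mapped onto a back-end account.
             The DNs and account values below are placeholders; in a real deployment
             keep them in a lookup document on the device, not in the stylesheet. -->
        <xsl:when test="$signer-dn = 'CN=partner-a, O=Example Partner A, C=ES'">
          <xsl:call-template name="account">
            <xsl:with-param name="username" select="'prov'"/>
            <xsl:with-param name="password" select="'prov'"/>
          </xsl:call-template>
        </xsl:when>
        <xsl:when test="$signer-dn = 'CN=partner-b, O=Example Partner B, C=ES'">
          <xsl:call-template name="account">
            <xsl:with-param name="username" select="'prov-b'"/>
            <xsl:with-param name="password" select="'placeholder-secret'"/>
          </xsl:call-template>
        </xsl:when>
        <xsl:otherwise>
          <!-- Unknown or empty signer: emit no entry at all, so the later steps have no
               credential to authorize and the AAA action fails closed instead of
               forwarding the request under a default account. -->
          <xsl:message>MC: no back-end account mapped for signer '<xsl:value-of select="$signer-dn"/>'</xsl:message>
        </xsl:otherwise>
      </xsl:choose>
    </credentials>
  </xsl:template>

  <!-- One entry carrying both values. The first stylesheet in this thread split them
       across separate entries, and the log only reported a password once they were
       moved into the same entry. -->
  <xsl:template name="account">
    <xsl:param name="username"/>
    <xsl:param name="password"/>
    <entry type="custom">
      <username><xsl:value-of select="$username"/></username>
      <password><xsl:value-of select="$password"/></password>
    </entry>
  </xsl:template>

</xsl:stylesheet>
```

The allow-list is the security-relevant part: a signer whose DN is not listed produces an empty `<credentials>` element rather than a fallback account, so a valid but unexpected signature cannot be laundered into back-end access. With the probe enabled, clicking the AAA action shows this stylesheet's input and output nodesets, which is the quickest way to confirm the shape actually expected by the firmware in use.
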
  • grol
    grol
    36 Posts

    Re: AAA post processing add username token doesn't work

    2013-04-30T10:45:48Z
    • swlinn
    • 2013-04-29T18:11:51Z

    Thank you very much for the replies.

    I have made some changes in my two XSL templates following your advice but the outcome is a WS-Security header without username:

      <wsse:UsernameToken>
        <wsse:Username />
      </wsse:UsernameToken>

    Despite this, in the log I can see:

      Found username/password in MapCredentials output

    One change is in the post processing XSL: I write an XPath expression to catch the value of the username,

      select="/container/mapped-credentials/entry/username/text()"

    I think this is a correct XPath but I don't know why the username isn't written in the template match command...

    And the second change is to correct the schema, as swlinn told me.

    What's wrong in my code?

    Thanks for your patience.

    Regards.

    Attachments

    Updated on 2013-04-30T10:46:29Z at 2013-04-30T10:46:29Z by grol
  • kenhygh
    kenhygh
    2060 Posts

    Re: AAA post processing add username token doesn't work

    2013-04-30T12:10:46Z
    • grol
    • 2013-04-30T10:45:48Z

    <wsse:Username><xsl:value-of select="@user" /></wsse:Username>

    should be

    <wsse:Username><xsl:value-of select="$user" /></wsse:Username>

  • grol
    grol
    36 Posts

    Re: AAA post processing add username token doesn't work

    2013-04-30T12:56:38Z
    • kenhygh
    • 2013-04-30T12:10:46Z

    Oops! That's a stupid error.

    I corrected the error but nothing has changed.

    Updated on 2013-04-30T12:57:09Z at 2013-04-30T12:57:09Z by grol
  • swlinn
    swlinn
    1395 Posts

    Re: AAA post processing add username token doesn't work

    2013-04-30T13:24:45Z
    • grol
    • 2013-04-30T12:56:38Z

    So here's your template in question ...

      <xsl:template match="wsse:Security">
        <!-- strip Security -->
        <xsl:copy-of select="@*" />
        <wsse:UsernameToken>
          <wsse:Username><xsl:value-of select="$user" /></wsse:Username>
        </wsse:UsernameToken>
      </xsl:template>

    By your comment I assume you don't want the wsse:Security element, but regardless you're doing a copy of all attributes of the wsse:Security element?  I'd first remove that as this will be putting a bunch of nodes into your output without its parent element.

    Regards,

    Steve

  • grol
    grol
    36 Posts

    Re: AAA post processing add username token doesn't work

    2013-04-30T13:54:03Z
    • swlinn
    • 2013-04-30T13:24:45Z

    You are right. I removed the copy command. Now the backend recognizes the header but the username and password are still missing from it.

    The value of var://context/WSM/identity/credentials is 'proveedorproveedor'

    and var://context/WSM/identity/username is empty.

    Despite this, in the system log I can see:

      Found username/password

    I think I don't write the user and pass in the right place.

    Regards.

  • RolfRander
    RolfRander
    39 Posts

    Re: AAA post processing add username token doesn't work

    2013-04-30T14:15:59Z
    • swlinn
    • 2013-04-29T18:11:51Z

    Is there any documentation available on which nodeset is sent to the different steps in the AAA policy?

    Regards, Rolf Rander

  • swlinn
    swlinn
    1395 Posts

    Re: AAA post processing add username token doesn't work

    2013-04-30T14:50:24Z

    Hi Rolf,

    Unfortunately, I've not seen any external documentation.  What I've done in the past is to put store://identity.xsl in each step where you could have a custom XSL.  Then you can click on the AAA action itself in the probe and look at the input document for each step.

    Regards,

    Steve

  • swlinn
    swlinn
    1395 Posts

    Re: AAA post processing add username token doesn't work

    2013-04-30T14:56:26Z
    • grol
    • 2013-04-30T13:54:03Z

    Can you attach your latest XSL?  You're mentioning password but your code only had a username child element.  And where exactly are you executing this stylesheet?

    As for your question:

    the value of the var://context/WSM/identity/credentials is 'proveedorproveedor'

    ===> If you were to look at the copy-of instead of the value-of of this context variable, you'll see the nodeset that comes from your MC stylesheet.  Value-of will simply concat the two elements' strings together, which is what you're seeing.

    and var://context/WSM/identity/username is empty.

    ===> So what do you have in your EI step?  If you're setting this up in a custom MC step, your identity variable could very well be empty.

    Regards,

    Steve

     

  • grol
    grol
    36 Posts

    Re: AAA post processing add username token doesn't work

    2013-05-07T10:20:56Z
    • swlinn
    • 2013-04-30T14:56:26Z

    Sorry for the delay, I was on holidays.

    I am executing the addUserClave.xsl template in the MC phase and quitaSingPonUNT_2.xsl in the post processing phase.

    You are right, I had forgotten to put the password variable in the code. I corrected this and now the WS-Security header has username and password in it.

    But this header is not well built. The error I get when I try to call the service is

    "The security token could not be authenticated or authorized; nested exception is: org.apache.ws.security.WSSecurityException: The security token could not be authenticated or authorized; nested exception is org.apache.ws.security.WSSecurityException: T ....."

    The result header is,

      <soapenv:Header>

      </soapenv:Header>

    I think the xmlns references are in the wrong order.

    How can I put the right xmlns references?

    I attach the last version of the quitaSingPonUNT_2.xsl template.

    Thank you very much. I really appreciate your effort.

    Best regards,

    Guillermo

    Attachments

    Updated on 2013-05-07T10:21:43Z at 2013-05-07T10:21:43Z by grol
  • swlinn
    swlinn
    1395 Posts

    Re: AAA post processing add username token doesn't work

    2013-05-07T15:53:26Z
    • grol
    • 2013-05-07T10:20:56Z

    Hi Guillermo,

    The WS-Security UsernameToken profile is at http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0.pdf.  It shows the wsse namespaces, namely,

    wsse http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
    wsu http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd

    which is what you have in your code, so I believe the namespaces to be ok.  Your code is replacing an existing wsse:Security element with the one you provide, but is not handling the case where the message had no wsse:Security element to start with.  To handle that case, you'll need to have a template for the parent of wsse:Security (i.e., soap:Header) and check for the existence of a child element wsse:Security; if it is not there you would need to inject it in the processing of the soap:Header.  If it is there, do nothing, as your existing template will handle it.

    If that isn't the problem, then is there any information your backend can provide?  Can you see your final request message going to your backend to see whether the soap:Header looks ok?

    Regards,
    Steve

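As an added example that is not the thread's quitaSingPonUNT_2.xsl nor IBM code, here is a Transform action stylesheet doing what swlinn recommends across his posts: run after the AAA action, read the mapped username and password back out of var://context/WSM/identity/credentials (the nodeset he says a copy-of reveals), replace the incoming wsse:Security header with a UsernameToken, and also cover the two cases the original template missed, a soapenv:Header with no wsse:Security and an Envelope with no Header at all. It assumes SOAP 1.1, that the variable's nodeset is the MC output with a single `<entry>` (hence the `//entry` lookup), and the dp:variable() and dp:reject extensions; the wsu:Id value is arbitrary.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the thread or IBM): Transform action placed AFTER the AAA
     action in the processing rule. Strips the verified signature header and injects a
     WS-Security UsernameToken built from the credentials the custom MC step produced. -->
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:dp="http://www.datapower.com/extensions"
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    extension-element-prefixes="dp"
    exclude-result-prefixes="dp">

  <xsl:output method="xml"/>

  <!-- MC output as a nodeset (a value-of here would give the concatenated string grol saw).
       Assumed shape: <credentials><entry><username/><password/></entry></credentials> -->
  <xsl:variable name="creds" select="dp:variable('var://context/WSM/identity/credentials')"/>
  <xsl:variable name="user" select="normalize-space($creds//entry/username)"/>
  <xsl:variable name="pass" select="normalize-space($creds//entry/password)"/>

  <!-- Identity template: everything not matched below is copied unchanged -->
  <xsl:template match="@*|node()">
    <xsl:copy><xsl:apply-templates select="@*|node()"/></xsl:copy>
  </xsl:template>

  <!-- Case 1: no soapenv:Header at all; create one ahead of the Body -->
  <xsl:template match="soapenv:Envelope[not(soapenv:Header)]">
    <xsl:copy>
      <xsl:apply-templates select="@*"/>
      <soapenv:Header><xsl:call-template name="security-header"/></soapenv:Header>
      <xsl:apply-templates select="node()"/>
    </xsl:copy>
  </xsl:template>

  <!-- Case 2: Header present but no wsse:Security; keep the other headers, append ours -->
  <xsl:template match="soapenv:Header[not(wsse:Security)]">
    <xsl:copy>
      <xsl:apply-templates select="@*|node()"/>
      <xsl:call-template name="security-header"/>
    </xsl:copy>
  </xsl:template>

  <!-- Case 3: the incoming (signature) header is dropped entirely and replaced.
       No copy-of its attributes: they would otherwise land in the output without a parent. -->
  <xsl:template match="wsse:Security">
    <xsl:call-template name="security-header"/>
  </xsl:template>

  <xsl:template name="security-header">
    <!-- Never emit a token with empty fields; reject the message instead -->
    <xsl:if test="$user = '' or $pass = ''">
      <dp:reject>No mapped back-end credentials available</dp:reject>
    </xsl:if>
    <wsse:Security soapenv:mustUnderstand="1">
      <wsse:UsernameToken wsu:Id="UsernameToken-1">
        <wsse:Username><xsl:value-of select="$user"/></wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"><xsl:value-of select="$pass"/></wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </xsl:template>

</xsl:stylesheet>
```

Use this with both "Run Custom Postprocessing style sheet" and "Add WS-Security UsernameToken" unchecked on the AAA action, so only one wsse:Security header is ever produced. The explicit Type attribute is what the profile specifies for a cleartext password and is what implementations such as WSS4J check; because PasswordText carries the back-end password in the clear, the hop to the backend has to be TLS.
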
  • grol
    grol
    36 Posts

    Re: AAA post processing add username token doesn't work

    2013-05-09T08:48:27Z
    • swlinn
    • 2013-05-07T15:53:26Z

    Thanks swlinn for the info.

    After a few tests I can say that my XSL works well. The problem was in the backend.

    Now the process is working.

    For other people who have this problem, another simple solution is not to choose custom XSL in post processing and to check the Add username token option instead. The result is a message with two WS-Security headers. To solve this you have to add a transform phase in the policy with the strip-security-header.xsl template.

    Thank you everybody for your help.

    Regards,

    Guillermo.